FAQ - Information Vulnerability Laboratory
01. Why was the Vulnerability Lab built?
02. Who is behind this project?
03. How is an advisory published?
04. How can I participate in the project?
05. Who cannot participate in the project?
06. What does an author gain by releasing a weakness?
07. Who are the clients of the subscription feeds?
08. Who are not clients of the subscription feeds?
09. When is a vulnerability released and when will it not be released?
10. How does the Vulnerability Lab create a secure communication layer between authors & companies?
11. Do you also promote other groups / teams / researchers?
12. How can I contact the administrators of the Vulnerability Lab?
13. How can I contact the support team of the Vulnerability Lab?
14. I am a vendor of a product. Where can I request details of the vulnerabilities found in certain products?
15. How can I find vulnerabilities from a certain author?
16. How can I find the vulnerabilities from a certain month?
17. Where can I search for certain vulnerabilities?
18. I have a good idea to improve the Vulnerability Lab. What email address can I send my ideas to?
19. I would like to become a customer of the Vulnerability-Lab. How to contact the lab to discuss all options?
20. I would like to have my products tested by the core team of the Vulnerability-Lab. How to?
21. What kind of vulnerabilities does the Vulnerability-Lab accept and detect?
22. Which products is Vulnerability-Lab mainly interested in?
23. What happens if two vulnerability researchers submit the same vulnerability to be verified?
24. How does Vulnerability-Lab protect the researcher?
25. Why are upcoming advisories only viewable with restrictions?
26. How do I follow your mobile/public RSS Feed?
27. What details, resources, and data are provided on an advisory?
28. How does the role system work?
29. How can I see the complete details of the upcoming advisories?
30. How long does it take until my account is activated by the moderators?
31. Does the Vulnerability Lab Team inform the Vendor or Manufacturer about every vulnerability?
32. Benefits for individual researchers: 0% commission?
33. Requirements/information for partners?
_________________________________________________________________________________________________________
1. Why was the Vulnerability-Lab built?
The official Vulnerability Laboratory (Vulnerability Lab) runs the world's first independent bug bounty hacker community. Vendors can leverage the skills and creativity of its researchers to surface critical vulnerabilities before criminals can exploit them. The Vulnerability Laboratory platform tracks all reports, organizes the vendor's team and helps coordinate an effective response. Our top researchers have published hundreds of individually discovered vulnerabilities in popular software, hardware, systems and web-application products. We decided early on to develop a secure vulnerability laboratory engine for the safe processing of zero-day bug bounty submissions. The vulnerability lab offers researchers and analysts a reliable and secure way to communicate with manufacturers in order to disclose their own vulnerabilities, security documents and PoC demo videos. The vulnerability lab infrastructure was the first registered company in the world with a fully verified, licensed and running bug bounty model and a confirmed registrar sign. Vulnerability-Lab is committed to discovering vulnerabilities and collaborating with researchers for better software, service, network and application end-user security. The project is not limited in scope and supports independent security research.
If you are a manufacturer, the vulnerability-lab is an extremely valuable source of detailed information about the current state of security of your software, services or web-applications. Vulnerability Lab has a core research team that identifies vulnerabilities, security bugs and bad security practices in software, hardware, services, networks or web-applications. The team brings this information to one site, where the public or only the manufacturers are notified in a professional and timely manner. The vulnerability lab project was founded in February 2005 by Pim Campers and Benjamin Kunz Mejri.
2. Who is behind this project?
The founder of the Vulnerability Lab is Benjamin Kunz Mejri. Administration is handled by the international core team members of the Vulnerability Laboratory.
3. How are advisories published?
A vulnerability is documented by the researcher and transmitted to the approval dashboard of the vulnerability management web application, either by email (researcher account) or via the UI panel (manager account). The transferred vulnerability report is then set to the status "Unpublished". Note that a registered non-public advisory can be reviewed only by administrators, for security reasons. After that, the advisory enters the verification process, which has 6 stages.
1st - Approval and reproduction of the bug or vulnerability
Note: First, a review of the submission is made.
2nd - The manufacturer or product vendor is informed about the incident, vulnerability or bug
Note: Only if the vulnerability is properly described and the criteria are met is the issue sent securely to the manufacturer or product vendor.
3rd - Pending in Laboratory
Note: As soon as the vulnerability status changes to "Pending in Laboratory", a redacted version of the advisory's public information is published in the laboratory's Upcoming section.
4th - Verified by Vulnerability-Lab
Note: Once the vulnerability has been reproduced successfully inside the laboratory, the pending advisory is included in the public listing of the vulnerability lab infrastructure.
5th - Accepted by Product Vendor or Manufacturer
Note: The status changes to "Accepted by Vendor" once we have received confirmation that the vulnerability is accepted for a fix/patch by the product manufacturer. In this phase the manufacturer's permission for publication is also requested and obtained.
6th - Public Disclosure (Acknowledgements, Bug Bounty & Co.)
After the final tweaks and updates to the advisory, the status is changed to "Published". At that point the advisory is visible to the active researchers, analysts, penetration testers, IPS operators, consultants or clients. After 2-3 days the advisory can be viewed by anonymous users of Vulnerability-Lab. The advisory is released in the appropriate category and classified with the specific IDs and reference links provided. The acknowledgements are permanently included in the advisory document as a link. The bug bounty is paid to the individual or core team researchers in the same period in which the manufacturer fixes/patches the bug or vulnerability.
4. How can I participate in the project?
Basically, security analysts, security consultants, security researchers, code developers, core teams and institutions may participate in this project, provided that they want to publish one or more vulnerabilities per month/year. A precondition for participation is that the researcher accepts and abides by the rules (policy) set by the vulnerability laboratory.
5. Who cannot participate in the project?
Since our project handles sensitive information that has not yet been published, not all nationalities can participate. The reason is current military conflicts between countries and information wars, which we neither want to influence nor want as customers/partners. Since we do not want to hand our material to militarily, offensively, religiously, racially or fundamentalist motivated groups, we try to exclude these groups from participation.
We also do not want anyone in the lab who copies vulnerabilities from other researchers or trades stolen / illegal / fake data. Also excluded from participation are people who want to publish material that has already been published several times and is already public. Owing to the core values of the vulnerability lab, we do no transactions with and do not collaborate with the following countries: North Korea, Afghanistan and Lebanon. If serious researchers from these countries seek a way to publish an advisory, exceptions can be made after a review of the advisory. We do not support government institutions (government / offices / agencies) or related or neighboring companies / institutions from the above countries.
6. What does an author of a vulnerability gain by releasing a weakness?
The author of an advisory gains a stable, citable reference and can easily present himself to other industry researchers, customers, clients or employers via his profile. The author may also appear in the press / news and can be referenced in various IPS or monitoring / notification systems. In this way a researcher earns a public reputation for his work in the independent sector of the industry. Active researchers can join the internal community and core team or upcoming security events. We try our best to represent the authors and researchers in a serious and well-respected way. Researchers can earn money through the commercial programs without paying any commission to our service. Our community also provides role upgrades and secure email postboxes to active researchers. Researchers are also invited to private programs for cooperation.
7. Subscription of Commercial Research Feed - Early access to non-disclosed vulnerabilities?
The subscription feed is a premium early-access permission to non-disclosed vulnerabilities, with resources such as pictures, security videos, a valid proof-of-concept or exploit and other unpublished analysis material. The subscription feed is commercial. The advisory subscription feed offers access to the newest unpublished advisories. The service is available to improve IPS and other notification / monitoring systems. The service is also available to researchers who want to improve their experience or technical skills. We do not sell vulnerabilities to individuals on request or to unserious manufacturers; we seek long-term collaboration with well-known services, institutes, bug bounty hunters or upcoming security researchers. Subscribers to the commercial research feed may reuse the details and resources of the advisories in their own analysis, notification services and IPS monitoring systems, or to discover further security vulnerabilities. To receive information about the commercial research account, please register a basic user account and click the upgrade role at the top of the user menu to continue.
8. Who are not clients of the subscription feeds?
Private persons / companies without a well-founded reason cannot subscribe to the vulnerability research feed. Basically, the person / company needs to state their reasons for subscribing and show that they are not involved in any illegal activities. Excluded from our services are North Korea, Afghanistan and Lebanon, as we cannot verify their reasons and activities. If manufacturers from these countries are still seriously interested in subscribing and can prove their reasons and activities, please contact us.
9. When is a vulnerability released and when will it not be released?
Generally we follow our vulnerability advisory process, which defines all timing issues, vendor delays and response times. If the manufacturer has given permission to disclose an advisory (after a patch is available) and the vulnerability conforms to the rules, the vulnerability is likely to be released to the public. If an infringement of the rules is found, the Vulnerability Lab will stop or hold the publication process at any time.
Vulnerability-Lab is not obliged to inform the authors, nor to reveal which violation was committed. In this case the vulnerabilities are deleted directly from all systems and are not given out, sold, displayed or transmitted to anyone. It can happen that a very destructive vulnerability is sent to the lab and, because of its destructiveness, we cannot publish it or take responsibility as an interface between the manufacturer and the author. In this case we of course inform the author about the situation.
Submission rules:
No issues with specific target exploitation or destructive live hacks, links / IPs (redact them yourself or don't send them!)
Non-persistent vulnerabilities are only disclosed after the impact and risk have been approved, and only for well-known services!
No 2nd- or 3rd-party publication of advisories, videos, vulnerabilities & documents!
No badly documented or encrypted vulnerabilities, papers, videos & advisories!
No publication of stolen, ripped or grabbed documents / advisories / vulnerabilities!
We are not interested in unknown scripts, software, applications or modules!
10. How does the Vulnerability-Lab create a secure communication layer between authors & companies?
The vulnerabilities are sent encrypted to the manufacturers and can be read only by them. The manufacturer of a product or service receives a confidential e-mail which leads to a special link in the Vulnerability-Lab. This link brings the manufacturer directly to the finished, verified advisory, which provides all the details needed to understand the vulnerability, investigate it and verify it independently. This allows the manufacturer to fix the vulnerability as soon as possible. The manufacturer can then accept the vulnerability, which allows us to finally publish the report. If a manufacturer knows that, for special reasons, it will only address the vulnerability within the next 4-6 months, it can also have the advisory published in advance. This option is only for manufacturers who want, must or should inform their clients before the patch/fix becomes available. We also follow a specific disclosure policy, explained on the submit page.
11. Do you promote also other groups / teams / researchers?
We encourage other groups who believe they can sustain a certain monthly number of vulnerabilities. This number of publications and advisories should be stable and verified, or tailored specifically to one product line. If you are interested in a long-term independent contribution as a team or group, a certain level must be maintained. We also welcome single researchers who are looking for a team or want to join a legal working group of the vulnerability lab. Those interested can send us an email as well.
12. How can I contact the administrators of the Vulnerability-Lab?
Go to the contact page and select the correct admin email address. The link to the contact page is at the bottom of this page, as is the public PGP key for encryption.
13. How can I contact the support team of the Vulnerability-Lab?
Go to the contact page and select the correct support email address. The link to the contact page is at the bottom of this page, as is the public PGP key for encryption.
14. I am a vendor of a product. Where can I request details of the vulnerabilities found in certain products?
Go to the contact page and select the correct research email address. The link to the contact page is at the bottom of this page, as is the public PGP key for encryption.
15. How can I find vulnerabilities from a certain author?
Click on the username of the requested author. After that the Vulnerability Lab will display all vulnerabilities released by that author.
16. How can I find the vulnerabilities from a certain month?
In the index, click on the date of one of the vulnerabilities from that month. This will display all vulnerabilities from that month of the year.
17. Where can I search for certain vulnerabilities?
Go to the search page. The link to this page is located at the bottom of the page and is called "search". On this page enter a CVE, CWE or VL-ID and submit your search query.
18. I have a good idea to improve the Vulnerability-Lab. Which email address can I send my ideas to?
Contact the main developers of the Vulnerability Lab engine by email.
19. I would like to become a customer of the Vulnerability-Lab. How can I contact the lab to discuss the possibilities?
Contact the support team of the Vulnerability Lab online service web-application.
20. I would like to have my products tested by the team of the Vulnerability Lab. How to?
Contact the support team of the Vulnerability Lab online service web-application.
21. What kind of vulnerabilities does the Vulnerability-Lab accept and detect?
Cross Site Scripting (Persistent / Non-Persistent) Vulnerabilities
Cross Site Request Forgery
Click-Jacking & Cam-Jacking
Unrestricted & unauthorized local / remote file inclusion
Directory Traversal / Path Traversal
Authentication, Filter or Exception Bypass
SQL Injection & Blind SQL Injection
Input Validation Vulnerabilities (persistent / non-persistent)
Stack / Buffer / Heap / Integer / Unicode Overflows
Local / Remote Privilege Escalation
Format Strings
Memory Corruption
Divide-by-Zero Bugs
Pointer Vulnerabilities (Null Pointer, Access Violation, Read, Write)
Local / Remote Command Execution
Local / Remote Code Execution
Denial of Service & reproducible Firmware Freeze / Block
Filter Bypass & Restriction Bypass
Information Leaking & Information Disclosure
Weak Algorithms, weak Encryption & weak Ciphers
Misconfiguration of OS, Systems & Applications
Structure & Design Errors / Flaws
Kernel Panic / Black & Blue Screens
Reproducible Application & Software Crashes
If you have a vulnerability that doesn't belong to one of these categories or you are not sure, you may still submit it for a review and we will evaluate it for you.
22. Which products is Vulnerability-Lab mainly interested in?
The Vulnerability-Lab is mainly interested in vulnerabilities of the following products.
Most Used Software & Appliances
Browsers - Opera, Safari, Chrome, Internet Explorer
Mozilla Firefox & Thunderbird
Skype & other important VoIP Software
GPS & Tracking Applications
Encryption Software / Security Tools
Frameworks
Java / JRE
.NET
Ajax Frameworks
Famous Products & Applications
Citrix Appliances, Software & Services
Apple - macOS, iPhone & iPod
Oracle Software Products
PGP Security Suite
Apache Software Foundation: Jakarta / Tomcat / Apache HTTP Server
Cisco Software, Router OS
Microsoft ISA Server, IIS, SharePoint Services
Microsoft Office Suite
Juniper Security Suite
Barracuda Security Suite
Operating Systems
Windows XP, Windows Server 2003 / 2008, Vista & Windows 7
FreeBSD, Slackware and OpenBSD
Fedora, Red Hat, CentOS & Arch Linux
Debian, Ubuntu, SUSE (KDE) and MD
Solaris / Solaris 10
IBM AIX
However, this does not mean that vulnerabilities in other products will not be accepted. It only means that we are especially interested in vulnerabilities in specific products, such as well-known vendor software, applications and services with a large user base (over 1000 customers / users).
23. What happens, if two vulnerability researchers submit the same vulnerability to be verified?
We examine both submitted vulnerabilities and take them through the verification process. The researcher with the earlier submission is then accepted. The documentation of the second researcher is removed or may, after consultation with the first submitting researcher, be used as a reference in the main advisory, so that people can still use the second documentation. The time span for a double submission is approx. 2-4 weeks; any vulnerabilities submitted later cannot be accepted for verification. So basically the earliest submitting researcher decides whether the link to the second advisory is included. Any researcher in the laboratory who receives a duplicate notice has the right to request the duplicate approval information with its ID. In this way we ensure that the researcher can confirm that the issue was a duplicate.
24. How does Vulnerability Lab protect the researchers?
When a researcher, analyst or consultant does not want to show his identity in the lab index, references, IPS or press, he can get the status "N/A Anonymous". The Vulnerability Lab never discloses any details of researchers, analysts or members to public authorities, private agencies, companies or any other person, and never reveals sessions, IPs, e-mail addresses or physical locations. To protect the vulnerability researchers, we have included an encrypted exchange method for emails, so active researchers can easily send their encrypted material for verification of newly submitted vulnerabilities. To protect the authors, we have also built a robust vulnerability handling process into the laboratory's code base.
As long as a researcher follows the specific publication policy, nobody will get in trouble with the law, because the policy forbids illegal actions. All submitted content of a destructive nature is deleted directly, without any abuse notification to the police or the government. We are not interested in storing hacks, sessions or any other illegal material. IP addresses are logged only on illegal server attacks or malicious interaction, for protection reasons; aggressive or malicious IPs are reported for abuse by the local server administrators. We also have a quality approval mechanism that allows us to fix bugs within a short time span after disclosure, to protect the database as well.
Payment information, account registrations and real names are not stored inside the Vulnerability Lab database management system, unless the researcher or customer has included them in the username field. Researchers can also request access to the anonymous account by email.
25. Why are upcoming advisories only censored or restricted visible?
Upcoming advisories are announcements of an incoming valid vulnerability, a new security-related document or a security PoC video. You can view the progress of the advisory's publication by checking the status indicator in the manager panel, after activating it via the "Upgrade" role. The Upcoming section is located at the top of the laboratory for easy access by researchers and customers. Upcoming advisories contain only a redacted product title, a reference ID or VL-ID link to the issue, the date of the report submission and the main community disclaimer. The advisories in the upcoming feed are redacted for security reasons, to deny attacks against the product manufacturer or vendor. Visibility of the entry is required, even redacted, because of our transparent and open service model.
26. How do I follow your mobile/public RSS Feed?
To follow our public feed, we provide a Twitter account suitable for mobile phones and monitoring feeds. Feel free to follow our little Twitter feed and enjoy the silence.
Feed URL #1: twitter.com/vuln_lab
Feed URL #2: facebook.com/VulnerabilityLab
Feed URL #3: flickr.com/photos/vulnerabilitylab
Feed URL #4: youtube.com/user/vulnerability0lab
Feed URL #5: plus.google.com/116199358243715906237
We also provide our own RSS feeds, listed below (internal source).
RSS URL #1: Index RSS Feed
RSS URL #2: Upcoming RSS Feed
RSS URL #3: Lab News RSS Feed
RSS URL #4: Magazine News RSS Feed
27. What details, resources, and data are provided on an advisory?
We provide the following details in our full zero-day advisories:
Title: (Title of Advisory/Vulnerability)
======
Date: (Release Date of Advisory)
=====
References: (Reference Links - CWE/CVE ID)
===========
VL-ID: (Internal Vulnerability-Laboratory ID)
======
CVE-ID: (Common Vulnerabilities and Exposures ID)
=======
Common Vulnerability Scoring System: (CVSS 3.0)
====================================
Vulnerability Class: (TOP 50 Vulnerability Classes - Type)
====================
Current Estimated Price: (Price estimation with a view on blackhat and whitehat markets)
========================
Introduction: (Product/Service/Website description of the vendor, with source)
=============
Abstract: (Short abstract of the Vulnerability/Advisory)
=========
Report-Timeline: (Report Vulnerability; Vendor Notification; Vendor Response/Feedback; Vendor Fix/Patch; Public Disclosure)
================
Status: (Pending on Laboratory; Verified by Laboratory; Accepted by Vendor; Published(Customer) or Published(Index))
=======
Exploitation-Technique: (Remote or Local)
=======================
Severity: (Critical Flag (red), Elevated Flag (orange), Medium Flag (yellow), Low Flag (green))
=========
Affected: (Version & Product or Series)
=========
Technical Details: (Technical Details & Location of the Vulnerability/Bug)
==================
Proof of Concept: (PoC, Exploit, Reference Logs, Reference Links or Manual Description)
=================
Solution: (Solution or Fix and Patch)
=========
Risk: (Risk level description by the author)
=====
Credits: (Author of the security advisory)
========
Disclaimer: (Copyrights, Law, Links & Service Information)
===========
Attachment: (Debug Logs, Dumps, Error Logs, Exception Logs, Test Session Logs, Pictures & Documents or Videos)
===========
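A consumer of these advisories (a notification service or an IPS feed, as mentioned in items 6 and 7) has to split the "Label:" / "=====" header above into fields and check that the values are consistent before acting on them. The following Python is an added example written for this FAQ, not Vulnerability Lab's own code. The field labels, Status values, Severity flags and Report-Timeline event order are taken from the list above; the sample advisory text, its placeholder VL-ID and the "Event: YYYY-MM-DD; Event: YYYY-MM-DD" layout of the timeline value are constructed assumptions, and the checks (CVE-ID syntax, known Status and Severity, a CVSS score inside 0-10, timeline dates that follow the listed order) are the ones a feed consumer would typically want:

```python
"""Parse and sanity-check an advisory header laid out as in FAQ item 27.
Added example, not Vulnerability Lab code. The sample header below and the
"Event: YYYY-MM-DD; ..." layout of Report-Timeline are constructed assumptions."""
import datetime
import re

KNOWN_FIELDS = {  # labels exactly as listed in FAQ item 27
    "Title", "Date", "References", "VL-ID", "CVE-ID", "Common Vulnerability Scoring System",
    "Vulnerability Class", "Current Estimated Price", "Introduction", "Abstract",
    "Report-Timeline", "Status", "Exploitation-Technique", "Severity", "Affected",
    "Technical Details", "Proof of Concept", "Solution", "Risk", "Credits", "Disclaimer",
    "Attachment"}
KNOWN_STATUS = {"Pending on Laboratory", "Verified by Laboratory", "Accepted by Vendor",
                "Published(Customer)", "Published(Index)"}
KNOWN_SEVERITY = {"Critical", "Elevated", "Medium", "Low"}
TIMELINE_ORDER = ("Report Vulnerability", "Vendor Notification", "Vendor Response/Feedback",
                  "Vendor Fix/Patch", "Public Disclosure")  # order given in the FAQ
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE identifier syntax


def parse_advisory(text):
    """Return {label: body}. A line whose text before the first ':' is a known
    label starts a field; '=' underlines and blank lines are skipped; any other
    line is appended to the current field (so URLs containing ':' survive)."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        label, sep, rest = line.partition(":")
        if sep and label.strip() in KNOWN_FIELDS:
            current = label.strip()
            fields[current] = rest.strip()
        elif current is not None:
            fields[current] = (fields[current] + "\n" + line).strip()
    return fields


def parse_timeline(value):
    """Split the assumed 'Event: date; Event: date' value into (event, date) pairs."""
    pairs = []
    for item in value.split(";"):
        event, _, date_text = item.partition(":")
        if event.strip():
            pairs.append((event.strip(), date_text.strip()))
    return pairs


def check_timeline(pairs):
    """Flag unparseable dates and events dated earlier than a preceding stage."""
    problems, dated = [], {}
    for event, date_text in pairs:
        try:
            dated[event] = datetime.date.fromisoformat(date_text)
        except ValueError:
            problems.append(f"unparseable date for {event!r}: {date_text!r}")
    previous = None
    for event in TIMELINE_ORDER:
        if event in dated:
            if previous is not None and dated[event] < dated[previous]:
                problems.append(f"{event} ({dated[event]}) precedes {previous} ({dated[previous]})")
            previous = event
    return problems


def validate_advisory(fields):
    """Return a list of consistency problems; an empty list means the header is sane."""
    problems = [f"missing field: {f}" for f in
                ("Title", "VL-ID", "Status", "Severity", "Report-Timeline") if not fields.get(f)]
    cve = fields.get("CVE-ID", "")
    if cve and cve.upper() != "N/A" and not CVE_RE.match(cve):
        problems.append(f"malformed CVE-ID: {cve!r}")
    status = fields.get("Status", "")
    if status and status not in KNOWN_STATUS:
        problems.append(f"unknown status: {status!r}")
    severity = fields.get("Severity", "")
    if severity and severity.split()[0] not in KNOWN_SEVERITY:
        problems.append(f"unknown severity: {severity!r}")
    cvss = fields.get("Common Vulnerability Scoring System", "")
    if cvss:
        try:
            score = float(cvss.split()[0])
        except ValueError:
            problems.append(f"CVSS score not numeric: {cvss!r}")
        else:
            if not 0.0 <= score <= 10.0:
                problems.append(f"CVSS score out of range: {score}")
    if fields.get("Report-Timeline"):
        problems += check_timeline(parse_timeline(fields["Report-Timeline"]))
    return problems


# Constructed sample header; it does not describe a real product or vulnerability.
SAMPLE_ADVISORY = """\
Title: Example Product v1.2 - Persistent Cross Site Scripting (constructed sample)
======
References: http://www.example.com/advisory-0000.html
===========
VL-ID: 0000
======
CVE-ID: N/A
=======
Common Vulnerability Scoring System: 5.4
====================================
Status: Published(Index)
=======
Severity: Medium
=========
Report-Timeline: Report Vulnerability: 2015-01-10; Vendor Notification: 2015-01-12; Vendor Fix/Patch: 2015-02-25; Public Disclosure: 2015-03-02
================
"""
```

Running `validate_advisory(parse_advisory(SAMPLE_ADVISORY))` returns an empty list; changing the sample so that Public Disclosure is dated before Vendor Fix/Patch, or setting Status to a value outside the list above, produces a problem entry for each inconsistency, which is the point at which a feed consumer should hold the entry rather than forward it.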
28. How does the role system work?
Role ID - Anonymous:
The N/A Anonymous user account allows reporting vulnerabilities without invading the privacy of a security researcher.
Username: N/A Anonymous
Password: 6.5R1-0z9U2d.12Gr69g28-36S10f.L56
Role ID - Researcher:
A Researcher is a registered user in the Laboratory and can view all advisory details on the index webpage. To register a researcher account, complete the basic registration form on the index webpage.
Role ID - Customer:
Customers have the same access as normal researchers plus access to the commercial research area, where non-disclosed vulnerabilities are visible. After logging in as a user, an [Upgrade] button becomes available next to the role status. The link can be used to upgrade an existing account to a commercial customer research account.
Role ID - Manager:
Managers are researcher accounts with their own service panel access. The account is non-commercial and allows reviewing, submitting and interacting with the lab. After logging in as a user, an [Upgrade] button becomes available next to the role status. The link can be used to upgrade an existing account to a manager research account.
Role ID - Administrator:
The Administrators control the service, implement updates and verify advisories.
29. How can I see the complete details of the upcoming advisories?
The Vulnerability Lab protects the upcoming issues of researchers against unauthorized access. We do not offer this kind of access to any party.
30. How long does it take until my account is activated by the moderators?
It can take up to 24 hours until the vulnerability laboratory user account with the researcher role is available. Usually it takes only a few minutes once we have approved the registration information of the researcher. Including valid information such as a web page or references speeds up the verification.
31. Does the Vulnerability Lab Team inform the Vendor or Manufacturer about every vulnerability?
We try to, but sometimes it is not possible because we receive no response from the manufacturer, vendor or developer after trying to get in touch over several weeks or months.
We try our best to inform all vendors. Feel free to ask the administration for open requests on that special topic.
32. Benefits for individual researchers: 0% commission?
We provide researchers fairly balanced benefits for using the Vulnerability Lab for disclosure or manufacturer communication. We charge 0% commission on the manufacturer/vendor payments for zero-day vulnerabilities; 100% goes to the researcher. We do not take any percentage of the benefits received by security researchers. Please note that the distribution of the benefits is after taxes, following European law.
Why 0% commission for any researcher startup?
We are working on a new and complete benefit program for hackers, analysts and researchers of our laboratory.
We will release the new benefit program in the coming weeks, so feel free to receive a full payout from the vendors.
What you send is what you get ;) so feel free to submit a zero-day vulnerability.
We provide the vendor communication and the verification process for the payment, to ensure that you as a researcher have a complete overview of the transactions. This also keeps the vulnerability lab business model transparent.
The covered process steps are:
- Publication of Vulnerability/Bug by Researcher or Analyst
- Discovery Process
- Initial Researcher Communication
- Lab reports Advisory to Vendor
- Vendor Communications and Agreements
- Vulnerability Verification Process
- Payout - Prize, Award & Benefits
33. Requirements/information for partners?
Vulnerability Lab - Disclosure Partnership Program
Step 1: Allowing inclusion
Consent to inclusion in the Vulnerability Lab Security Products List and delivery of the specific product names.
Step 2: Admission to product testing list
The appropriate application or software is included in a special private list for product security testing.
Step 3: Penetration tests, List & Publication
The list is provided only to approved/qualified researchers and penetration testers. Our certified testers search for vulnerabilities in your products. You can decide whether to provide additional demo systems to increase the hit rate. Our goal is the publication of (at least) 1 product vulnerability per month.
Step 4: Disclosure Process for Partners
After the submission of a vulnerability, the advisory is verified in the laboratory and moved through the stages [Pending on Laboratory], [Verified by Laboratory] and [Accepted by Vendor]. The partnership ensures that security holes are forwarded only to the product vendor/manufacturer. [View: Upcoming]
Step 5: Public disclosure?
The vendor chooses whether the vulnerability is made public after fixing. The normal procedure is that a bug is made public after it is fixed. If for some reason a vendor does not want the bug to be public, the vendor has to give the Vulnerability-Lab team prior notice (before the fix has been released). If a vendor chooses not to make the bug publicly available, it stays only in the private area of the Vulnerability-Lab.
Step 6: Banner
A banner is placed on our partner page in the laboratory. The partner page lists all trusted partners and sponsors of the Vulnerability-Lab: vulnerability-lab.com/partners. It is also possible to exchange banners.
Step 7: Now wait ...
At this point the Vulnerability-Lab team and its researchers will try to find bugs in your programs/appliances/etc.